Claims

1. A method for maintaining a secure tunnel in a packet-based 
communication system, the method comprising the steps of: 

- establishing a secure tunnel between a security gateway and a
mobile terminal being located at a first address in a first network, wherein the
security gateway connects the first network to a second network and the 
mobile terminal has a second address that identifies the mobile terminal in the 
second network; 

- in the security gateway, identifying the secure tunnel based on the
second address in packets destined for the mobile terminal from the second
network; 

- detecting a change in the first address of the mobile terminal; 

- in response to the detecting step, sending an update message to the
security gateway, wherein the update message includes a new address value
of the first address; and

- based on the update message, updating the first address associated 
with the secure tunnel. 

2. A method according to claim 1, wherein the first network is a public 
packet network and the second network is a private packet network.

3. A method according to claim 1, wherein the update message is a
normal data message to be transmitted to the security gateway when the 
change is detected. 

4. A method according to claim 1, wherein the sending step includes
creating a dummy packet and sending it as the update message to the security
gateway.

5. A method according to claim 1, wherein the sending step includes
creating an update message including a NAT-D payload for detecting a
network address translation device between the mobile terminal and the
security gateway.

6. A mobile terminal for a packet-based communication system, the 
mobile terminal comprising: 

- tunnel establishment means for establishing a secure tunnel to a 
security gateway through a packet network; wherein the security gateway is 
configured to connect a first network to a second network and the mobile
terminal has a first address that depends on its current location in the first 
network and a second address that identifies the mobile terminal in the second 
network; and 

- address update means for sending an update message through said
secure tunnel to the security gateway when the first address changes, wherein
the update message includes a new address value of the first address. 

7. A mobile terminal according to claim 6, wherein the address update 
means are configured to create a dummy packet if there is no data to be sent
through the secure tunnel when the first address changes.

8. A mobile terminal according to claim 6, wherein the address update 
means are configured to create an update message including a NAT-D 
payload for detecting a network address translation device between the mobile 
terminal and the security gateway. 

9. A security gateway for a packet-based communication system, the
security gateway comprising:

- tunnel establishment means for establishing a secure tunnel to a 
mobile terminal located at a first address in a first network, wherein the security 
gateway is configured to connect the first network to a second network and the
mobile terminal has a second address that identifies the mobile terminal in the
second network; 

- identification means for identifying the secure tunnel based on the 
second address in a packet originated from the second network and destined 
for the mobile terminal; and 

- address update means for updating the first address associated with
the secure tunnel, the address update means being responsive to a message
received from the mobile terminal, the message including a new value of the 
first address. 

10. A system for maintaining a secure tunnel in a packet-based 
communication system, the system comprising:

- tunnel establishment means for establishing a secure tunnel 
between a security gateway and a mobile terminal being located at a first 
address in a first network, wherein the security gateway is configured to 
connect the first network to a second network and the mobile terminal has a
second address that identifies the mobile terminal in the second network;

- detection means for detecting a change in the first address;

- first address update means, responsive to the detection means, for 
sending an update message to the security gateway, wherein the update 
message includes a new address value of the first address; 

- in the security gateway, second address update means for updating
the first address associated with the secure tunnel in response to the update
message; and 

- in the security gateway, identification means for identifying the 
secure tunnel based on the second address in a packet originated from the
second network and destined for the mobile terminal.

11. A computer useable medium having computer readable program 
code embodied therein to enable a mobile terminal to communicate with a 
security gateway in a packet-based communication system, the computer 
readable program code comprising: 

- computer readable program code for causing the mobile terminal to
establish a secure tunnel to a security gateway through a packet network;
wherein the security gateway is configured to connect a first network to a 
second network and the mobile terminal has a first address that depends on its 
current location in the first network and a second address that identifies the
mobile terminal in the second network; and

- computer readable program code for causing the mobile terminal to 
send an update message through said secure tunnel to the security gateway 
when the first address changes, wherein the update message includes a new 
address value of the first address. 

12. A computer useable medium having computer readable program
code embodied therein to enable a mobile terminal to communicate with a
security gateway in a packet-based communication system, the security 
gateway being configured to connect a first network to a second network, the 
computer readable program code comprising: 

- computer readable program code for causing the mobile terminal to
send an update message through a secure tunnel to the security gateway
when a first address that depends on the mobile terminal's current location in 
the first network changes, wherein the update message includes a new 
address value of the first address. 
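
The gateway-side behaviour recited in claims 1, 4 and 9, sketched as an added example that is not part of the patent text: the tunnel is looked up by the second (inner) address, and the first (outer) address is replaced only when a packet verifies. The HMAC tag and sequence counter are assumptions standing in for the tunnel's own integrity and anti-replay protection; all class and function names and all addresses are constructed.

```python
import hashlib
import hmac
import ipaddress
import struct

TAG_LEN = 32  # HMAC-SHA256 tag; assumed stand-in for the tunnel's integrity check

def seal(key, inner, seq, payload=b""):
    """Terminal side: protected tunnel packet; an empty payload is a dummy packet."""
    header = ipaddress.IPv4Address(inner).packed + struct.pack("!Q", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class SecurityGateway:
    def __init__(self):
        self.tunnels = {}  # second (inner) address -> tunnel state

    def establish(self, inner, outer, key):
        self.tunnels[inner] = {"key": key, "outer": outer, "last_seq": 0}

    def outer_for(self, inner):
        """Identify the tunnel by the second address of a packet from the second network."""
        tunnel = self.tunnels.get(inner)
        return tunnel["outer"] if tunnel else None

    def receive(self, src_outer, packet):
        """Accept a tunnel packet; move the first address only after it verifies."""
        if len(packet) < 12 + TAG_LEN:
            return False
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        inner = str(ipaddress.IPv4Address(body[:4]))
        (seq,) = struct.unpack("!Q", body[4:12])
        tunnel = self.tunnels.get(inner)
        if tunnel is None:
            return False
        expected = hmac.new(tunnel["key"], body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False  # forged update: first address left unchanged
        if seq <= tunnel["last_seq"]:
            return False  # replayed packet must not move the tunnel back
        tunnel["last_seq"] = seq
        tunnel["outer"] = src_outer  # new first address taken from the verified packet
        return True
```

Because any verified packet refreshes the mapping, a normal data message (claim 3) and a dummy packet (claim 4) are handled by the same path.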


